Sunday, August 8, 2010

Managing ADF Security Permissions Using Oracle Enterprise Manager 11g

One of my previous blog posts describes how to Manage ADF Security Using Oracle Enterprise Manager 11g. Today I will specifically describe how to manage ADF Security permissions without application redeployment. This is a very common use case, especially when using ADF libraries. Developers who implement ADF libraries are often not even aware which application roles the main application will use to protect ADF Task Flows, etc. It's extremely important to be able to manage application permissions after deployment and without redeployment.

Download the sample application - ADFDeclarativePermissions.zip. This sample implements one ADF library application, which provides the Employees ADF Task Flow region:


The main application consumes the ADF Task Flow region from the ADF library and defines a mapping between Enterprise and Application roles (Financials and accountants):


Let's assume that at this moment we don't have any permissions defined for the ADF Task Flow imported from the ADF library:


Deployment will be done without a permission granted for this ADF Task Flow; we will specify it later from Oracle Enterprise Manager 11g.

There is a permission defined for the main page - every authenticated user can open the main page:


The application was deployed on a standalone WebLogic server; the scott/welcome1 user authenticates to access the main application page:


The main page loads successfully, however the region is not rendered - as expected:


This happens because there is no permission defined for the ADF Task Flow imported from the ADF library, as you saw a few steps above.

We could go back to JDeveloper, assign the permission there and redeploy our application. However, in a production environment this is hardly acceptable to management; usually we want to apply a fix without redeployment to minimize application downtime.

Instead, we can go to the Application Policies section accessible through Oracle Enterprise Manager 11g:


Review the current permissions (only one is available, for authenticated users to view the main page):


We can create a new permission - define the permission class and grantee (application role - accountants):


First you need to define the TaskFlowPermission class; it should point to the address of the ADF Task Flow we are defining the permission for. Specify the permission action as well (view):


Add the application role in the grantee section. This means the defined permission will be available to all users granted this application role (accountants):


Complete the new permission screen:


Now we have two permissions available:


Without redeployment, ADF evaluates the new permission for a user granted the accountants application role, and renders the ADF region successfully:
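
The grant created through Enterprise Manager above is stored as a policy entry. The following added example (not code from the original post or from Oracle) parses such a policy, assuming the file-based jazn-data.xml layout, and lists task flows that have no view grant, which is the state in which the region is silently not rendered. The stripe name SampleApp, the task flow paths and the page definition name are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed policy in jazn-data.xml layout; stripe name and paths are placeholders.
POLICY = """
<jazn-data><policy-store><applications><application>
  <name>SampleApp</name>
  <jazn-policy>
    <grant>
      <grantee><principals><principal>
        <class>oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl</class>
        <name>authenticated-role</name>
      </principal></principals></grantee>
      <permissions><permission>
        <class>oracle.adf.share.security.authorization.RegionPermission</class>
        <name>view.pageDefs.mainPageDef</name>
        <actions>view</actions>
      </permission></permissions>
    </grant>
    <grant>
      <grantee><principals><principal>
        <class>oracle.security.jps.service.policystore.ApplicationRole</class>
        <name>accountants</name>
      </principal></principals></grantee>
      <permissions><permission>
        <class>oracle.adf.controller.security.TaskFlowPermission</class>
        <name>/WEB-INF/employees-flow.xml#employees-flow</name>
        <actions>view</actions>
      </permission></permissions>
    </grant>
  </jazn-policy>
</application></applications></policy-store></jazn-data>
"""

TASK_FLOW = "oracle.adf.controller.security.TaskFlowPermission"

def grantees(policy_xml, perm_class, target, action):
    """Return the sorted principal names granted `action` on `target`."""
    names = set()
    for grant in ET.fromstring(policy_xml).iter("grant"):
        for perm in grant.iter("permission"):
            actions = {a.strip() for a in (perm.findtext("actions") or "").split(",")}
            if (perm.findtext("class", "").strip() == perm_class and action in actions
                    and perm.findtext("name", "").strip() == target):
                names.update(p.findtext("name", "").strip() for p in grant.iter("principal"))
    return sorted(names)

def ungranted(policy_xml, task_flows, action="view"):
    """Task flows with no grantee for `action`; their regions will not render."""
    return [tf for tf in task_flows if not grantees(policy_xml, TASK_FLOW, tf, action)]
```

Running `ungranted` against the deployed policy with the list of task flows packaged in consumed ADF libraries shows which ones still need a grant before users can see them.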


24 comments:

Maniesh Sailoz (sid) said...

Andrejus

This is a nice post.

We have a similar requirement but don't use OEM.
Is it possible to include roles and permissions in ADF libraries?

thanks
Sid

Andrej Baranovskij said...

Hi Sid,

Yes, you can do this. You can implement the same type of functionality as is provided by OEM. You need to use the Oracle Security API.

Andrejus

Unknown said...

Hi Andrejus,
I have a problem with a Faces message.

I use a taskflow as inline popup, that taskflow is a form with some InputText and the user can commit the info in the form or exit the popup.

When the users commit the transaction they must be informed with the result of the operation.
That's where I use the Faces message, but there's something happening when the taskflow returns.

I'm calling the Faces message in the backing bean of the main jspx page (not in the taskflow used as inline popup) in the return method of the button that calls the taskflow.
The problem is that when I close the popup there must be something wrong with the ADF life cycle, because it is not showing anything.

I read in this OTN Discussion http://forums.oracle.com/forums/thread.jspa?threadID=614506 , about the Faces message execution, but it doesn't give me an explicit or concrete solution to my problem. Do you have any idea about it, whether it's a way around or a configuration that I'm missing to perform?
I appreciate any help.
Looking forward to reading from you.
Thanks in advance.
José Luna.

Andrej Baranovskij said...

Hi Jose,

Maybe this post will help you: http://andrejusb.blogspot.com/2010/01/auto-commit-use-case-in-oracle-adf-11g.html

Andrejus

Unknown said...

Hi Andrejus,
Thanks for the prompt answer. I think I didn't make myself clear (My English is very rusty...).
I'll try to explain to you the whole scenario. I've got a JSPX which calls a different taskflow as a pop-up. This pop-up is where the user fills the form. Once completed, the user may cancel or commit the operation, if he cancels the pop-up closes and that's it, but if the user commits, the pop-up closes but the user must get another pop-up, in this case I'm using this code in backing bean:

FacesContext fc = FacesContext.getCurrentInstance();
fc.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_INFO, this.MENSAJE_EXITO,""));

This pop-up is meant to tell the user the result of the transaction. But when the application gets to this, in the ReturnListener's life cycle, this causes the message to be displayed only for a short period (almost a flash of a couple of milliseconds).


I mentioned the posts in the previous comment because what happens to me is somehow like this

"I am having a similar problem, in that I am resetting the view root to get a page refresh when I come back from a dialog. My faces message is not coming up either which I raise in the return listener.

I am thinking from other threads that somehow the faces context changes when you reset viewroot, and the messages are lost...does that sound like a plausible theory?"


I don't completely get this part: "...other threads that somehow the faces context changes when you reset viewroot...", is this true? If it is, could you explain to me why? How can I achieve my goal of showing the second pop-up, but accessing the faces context that will remain active after all?

Thanks again.
All the best
José Luna

Maniesh Sailoz (sid) said...

Andrejus,

My question was like this.

Our application is based on UI Shell pattern. We have one main application (for integration) and multiple applications from which we generate ADF library jars. Now all the ADF policies (page and task flow permissions).

How can we transfer the ADF policy information from these individual applications to the main application since ADF library jar doesn't do that? Presently I can only think of doing it manually.

thanks
sid

Andrej Baranovskij said...

Hi,

You are right - manually.

Oracle is working on an enhancement request, there will be automation in future releases.

Regards,
Andrejus

Dino Kantardzic said...

Hej Andreus, I know this is a bit off topic but I have a huge problem I could really use your help with.
My JDeveloper workspace has gone insane. I was going through the tutorial in the official Handbook and suddenly half of my libraries stopped working. My java beans started giving me import errors for the most basic libraries. I checked the view controller to see that the ADF Runtime 11 was there (as suggested by a user on the forum) and it was there. I tried changing the system folder name, then when that did not work I tried reinstalling it and again the same error:

Error(6,29): package oracle.adf.controller does not exist
Error(6,41): package oracle.adf.view.rich.datatransfer does not exist
Error(7,41): package oracle.adf.view.rich.datatransfer does not exist
Error(8,32): package oracle.adf.view.rich.dnd does not exist
Error(9,34): package oracle.adf.view.rich.event does not exist

And lots more, but I hope you get the picture. If you or anyone has an idea what I could try to do, I would be eternally in their debt.

Andrej Baranovskij said...

Hi,

Make sure ADF Faces Rich Client and ADF Task Flow technologies are enabled, check this in project properties.

No need to remove the system folder for this issue, it's just that the libraries are not referenced correctly in your project. Try to create a new application and compare which libraries are included and which are not.

Regards,
Andrejus

Dino Kantardzic said...

Hey Andreus, thanks for the quick reply.

I am not sure where exactly in the project properties I check that, but if you are thinking of the selected project technologies then know that both ADF Faces and ADF Page Flow are in the selected list (the right hand list).

If it's the Libraries then I'm not sure which ones should be there. ADF Runtime 11 is checked and there are a lot more of them, all checked, just not sure which ones should be there.

When I create a new Fusion Web Application, the only components that are automatically selected are ADF Business Components and Java. But I can add others (ADF Faces and such).

Dino Kantardzic said...

Even when I make a new application, when I create a new java class I get the same errors (import not found).

These imports he recognizes:

import oracle.binding.BindingContainer;
import oracle.binding.OperationBinding;
import oracle.jbo.domain.Number;


These JDev does not recognize (there are others, these are from one Java class):

import oracle.adf.view.rich.datatransfer.DataFlavor;
import oracle.adf.view.rich.datatransfer.Transferable;
import oracle.adf.view.rich.dnd.DnDAction;
import oracle.adf.view.rich.event.DropEvent;

import oracle.adfinternal.view.faces.model.binding.FacesCtrlHierNodeBinding;
import org.apache.myfaces.trinidad.model.CollectionModel;
import org.apache.myfaces.trinidad.model.RowKeySet;

Andrej Baranovskij said...

Hi,

What I can say - there is no magic, you need to check libraries. Try to run and check my project with Drag&Drop functionality (I see you are missing these libraries) - http://andrejusb.blogspot.com/2010/02/dynamic-dashboard-ui-shell.html

Regards,
Andrejus

Dino Kantardzic said...

Andrejus thank you again for your reply.

I downloaded and opened your file and can see the libraries you have in the library node. I will just add all that I don't have. Just one question:

Should I look at the View Controller Libraries or the Model Libraries when adding?

Dino Kantardzic said...

Also, when I am looking at libraries, am I looking at the Libraries and Classpath node in the project properties (be they model or view controller)?

Andrej Baranovskij said...

It depends where your Java class is. But it must be in ViewController.

Andrejus

Dino Kantardzic said...

Andrejus, I compared both the view and the model projects and their libraries, and both yours and mine have the same libraries, except mine has a few more of them. Still mine has the errors and your project doesn't. I don't know what the problem is. But if I make a new application and copy the import code from one of my old java beans into the new application, and a new java bean, I still get the error. Even though it doesn't use any of the imports it still gives me not found errors. Yet your thing compiles without any errors even when I copy some imports from my bean.

Dino Kantardzic said...

Andrejus, do you have any other ideas or suggestions?

Andrej Baranovskij said...

I don't know, you need to bring Red Samurai (me) onsite to solve this :)

Andrejus

Dino Kantardzic said...

Well, I live in Bosnia and Herzegovina, the weather outside is 9 degrees and it's raining. So I would think it's in both our best interests for you to not come here :)

Andrej Baranovskij said...

I'm from Lithuania, same weather here now. So, it's not a bad option to go to your place :)

Dino Kantardzic said...

Well alrighty then, I'll have sleeping arrangements set up. One thing we do have in Bosnia that is on a heavenly level is the food, so when shopping here buy everything one size bigger than usual.

Andrej Baranovskij said...

:)

Unknown said...

Hi Andrejus,

I know it's off topic but I have some questions about ADF security. I need to set up security on my application using SSO. The SSO API is provided by a 3rd party (I must use their login and logout servlets). Is there any way I can set security in my ADF application to use their servlets? (I'm using JDev 11g.)

Anonymous said...

How to map application roles through JDeveloper? (Actually we do it in the EM console; is it possible to map through JDeveloper instead?)